
Method and device for detecting Trojan in non-executable file

A detection method for non-executable files, classified under computer security devices and electrical digital data processing. It addresses the difficulty of deciding whether a hooked system-function call is illegitimate and the inability of purely behavioural monitoring to distinguish normal program behaviour from suspicious behaviour, with the stated effect of reliable detection.

Active Publication Date: 2010-09-08
XIAMEN MEIYA PICO INFORMATION
0 Cites, 24 Cited by

AI Technical Summary

Problems solved by technology

The disadvantage of this API-monitoring approach is twofold. On the one hand, it is difficult to decide whether a hooked system-function call is illegitimate. Some implementations judge legitimacy from the address the call originates from, treating a call from heap or stack memory as coming from an illegal address; this can be bypassed by forging the return address, or by using an address inside a legitimate system function as a springboard so that the call appears to come from the system itself and escapes monitoring. On the other hand, such monitoring is usually implemented at user privilege level, so it can be bypassed by terminating the monitoring process or by removing the hooks (anti-hooking).

Because this detection approach relies solely on behavioural characteristics to decide whether a program's behaviour is trustworthy, it has a fundamental problem: it cannot reliably separate normal program behaviour from suspicious behaviour. A Trojan embedded in a non-executable document gains execution through an overflow in the program that opens the document, so its code runs inside a process that is normally trusted and tends to be treated as trusted as well.

Clearly, relying solely on behavioural characteristics leaves blind spots when monitoring for Trojans in non-executable documents.


Embodiment Construction

[0029] Referring to the accompanying drawings, the method of the invention for detecting a Trojan embedded in a non-executable file comprises the following steps:

[0030] A detection program 11 located in the user layer 1 of the operating system determines which non-executable document is to be checked and obtains the process information of the process that opens that document;

[0031] That process information is passed to a monitoring module 21 located in the kernel layer 2 of the operating system, which monitors the process that opens the non-executable document;

[0032] The kernel-layer monitoring module 21 intercepts the file-creation operations of the monitored process and checks whether the extension of the file being created is suspicious, i.e. an executable-file extension under the system. If it is, the module notifies the user-layer detection program 11, which suspends the process, warns the user, records the suspicious behaviour and prohibits execution; if not, monitoring continues;

[0033] The monitoring module 21 of the kernel layer of...


Abstract

The invention discloses a method and a device for detecting a Trojan in a non-executable file. Based on the characteristics of a Trojan carried in a non-executable file, a detection program in the user layer of the operating system determines the process to be monitored, and a monitoring module in the kernel layer of the operating system monitors that process's file-creation operations. The module judges whether the extension of the created file is an executable-file extension under the system, and whether the format of the data written to the file contains the format characteristics of an executable file under the system, and thereby decides whether the program releases an executable file, that is, whether the non-executable file carries a Trojan. The method and device effectively ensure reliable Trojan detection for non-executable files, are suitable for processing non-executable files in batches, and are applicable to various operating systems.
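The two checks described in the embodiment steps and the abstract (an executable-extension check on the created file, and an executable-format check on the bytes written to it) are illustrated below as a user-space simulation of the decision logic. This is an added example, not code from the patent or from its owner; the kernel-layer interception itself is not shown, the process names, extension list and file-creation events are constructed for the example, and the handling of a write that is cut off before the PE signature is an assumption about how a monitor would deal with partial data.

```python
"""Simulation of the detection decision in the patent (added example, not the
patent's code).  A kernel monitor would deliver file-creation events; here
they are constructed in memory."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Document viewers whose file-creation events are in scope (assumed list).
MONITORED_OPENERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Extensions Windows runs directly or via a script host (assumed, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".sys", ".pif", ".cpl",
    ".bat", ".cmd", ".vbs", ".js", ".ps1",
}


@dataclass
class FileCreateEvent:
    process: str   # image name of the process performing the create
    path: str      # path of the file being created
    head: bytes    # bytes written to the file so far (may be empty)


def has_executable_extension(path: str) -> bool:
    """True if the final extension is one the system will execute.
    Only the last extension counts, so 'invoice.pdf.exe' is still an .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXECUTABLE_EXTENSIONS


def pe_signature_state(head: bytes) -> str:
    """'pe' if the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew are
    both present, 'truncated' if the data starts with 'MZ' but ends before
    the signature offset can be checked, 'no' otherwise."""
    if head[:2] != b"MZ":
        return "no"
    if len(head) < 0x40:            # e_lfanew lives at offset 0x3C
        return "truncated"
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew + 4 > len(head):
        return "truncated"
    return "pe" if head[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "no"


def looks_like_elf(head: bytes) -> bool:
    """ELF magic, so the same logic covers a non-Windows opener."""
    return head[:4] == b"\x7fELF"


def classify(event: FileCreateEvent) -> Optional[str]:
    """Return None for processes out of scope, otherwise a verdict string."""
    if event.process.lower() not in MONITORED_OPENERS:
        return None
    if has_executable_extension(event.path):
        return "suspicious: executable extension"
    state = pe_signature_state(event.head)
    if state == "pe" or looks_like_elf(event.head):
        return "suspicious: executable format in written data"
    if state == "truncated":
        # Assumption: do not decide on a partial write; re-check later.
        return "pending: MZ stub seen, re-check after more data is written"
    return "benign"


# Constructed minimal PE header: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
# Constructed partial write: MZ stub whose e_lfanew points past the data.
PARTIAL_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x200)

SAMPLE_EVENTS = [
    FileCreateEvent("winword.exe", r"C:\Users\alice\Documents\report.docx", b"PK\x03\x04"),
    FileCreateEvent("winword.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", b""),
    FileCreateEvent("acrord32.exe", r"C:\Users\alice\AppData\Local\Temp\svc.tmp", FAKE_PE),
    FileCreateEvent("acrord32.exe", r"C:\Users\alice\AppData\Local\Temp\part.dat", PARTIAL_PE),
    FileCreateEvent("explorer.exe", r"C:\Tools\setup.exe", FAKE_PE),
]


def run_samples() -> Dict[str, Optional[str]]:
    """Classify every constructed event, keyed by file name."""
    return {e.path.rsplit("\\", 1)[-1]: classify(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The third event is the case the extension check alone misses: the opener writes a PE image under a harmless name, so the verdict has to come from the written bytes. Filenames are normalised to the last extension only, and a write that stops before the PE signature is held as pending rather than cleared, since a later write or a rename can complete the picture.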

Description

Technical field

[0001] The invention relates to a method for detecting and removing viruses in non-executable files, and in particular to a method and a device for detecting a Trojan embedded in a non-executable file.

Background

[0002] At present, non-executable documents such as Word, Excel, PowerPoint and PDF files are increasingly used to spread Trojan horses. Such documents can exploit overflow vulnerabilities in the program that opens them to carry a virus or Trojan file: when the opening program overflows, the embedded code gains execution, and it then drops and runs a Trojan file. Because a virus or Trojan hidden in a non-executable file is highly concealed, general antivirus software cannot completely detect and remove it, and non-executable files carrying viruses or Trojans frequently cause great harm to system security.

[0003] At present, there are mainly three methods for virus dete...


Application Information

IPC(8): G06F21/00, G06F21/22, G06F21/56
Inventor: 吴鸿伟, 张永光, 张婷
Owner XIAMEN MEIYA PICO INFORMATION